Shell Programming and Scripting

I'm trying - as an ordinary user - to create a file in the root directory of my system. For that purpose I wrote a simple script that echoes a string into a file. I made the file executable, used sudo to change ownership to root. Like this:

Code:

$ cat hello

#!/bin/bash
echo hello > /hello

$ ls -l hello
-rwxr-xr-x 1 pi pi 33 Nov 29 02:28 hello
$ sudo chown root hello
$ sudo chgrp root hello
$ sudo chmod u+s hello
$ ls -l
total 4
-rwsr-xr-x 1 root root 33 Nov 29 02:28 hello

In my understanding if I now run the script as an ordinary user it should run with root privileges and create that file.
However, I get this error message:

Code:

$ ./hello
./hello: line 3: /hello: Permission denied

It works, however, if I use sudo to run the script:

Code:

$ sudo ./hello
$ ls -l /hello
-rw-r--r-- 1 root root 6 Nov 29 02:46 /hello

What am I missing?

The first line of your script should be the #!/bin/bash; not the 2nd line. Since the 1st line of your script does not start with #!, the second line of your script is just a comment and has no effect on the program used to interpret your script.

The diagnostic you're seeing is from the echo. You don't have permission to overwrite your script with the echo since the echo is not running as the root user.

And, of course, giving a non-root user permission to overwrite a set-uid root script, allows any user on that system with that permission to do absolutely anything that user wants to do to that system. Please, never do this!

Of course I will never do this. I just try to understand how the set-user-id bit is used in principle - for example by /usr/bin/passwd et. al. Isn't that in principle the same approach?

My intention is not to overwrite my script but to write the string "hello" into the newly created file with filename hello in the root directory.

Why does the echo not run as the root user? It is in a script that belongs to the root user, is executable and the set-user-id bit is set.

How do I get this to work?

(And the #!/bin/bash was in the first line where it belongs. The code just looked a bit cramped so I added a line.)
And no, I will not do this in any serious context and give other users access to this kind of code. Never ever.

------ Post updated at 08:29 PM ------

I just read elsewhere that the operating system ignores the setuid bit for executable shell scripts - for security reasons. Understandable. If that is so then I'll try it in C. Just to check it out.

Yes, Linux ignores the suid bit on scripts. You need a binary that has setuid(0); because the suid bit sets the euid only.

(In contrast, setuid scripts do work on most if not all Unix versions.)

You still haven't told us what operating system you're using...

Some operating systems NEVER allow shell scripts to be run set-uid.

Some operating systems NEVER allow a running program to be overwritten.

Some operating systems only allow shells specified in a system file to be used to run set-uid scripts.

All of the above are possible reasons why what you're trying might not work on an unspecified operating system.

Worked like a charm:

Code:

#include <stdio.h>
#include <stdlib.h>

int main( int argc, char **argv ) { 

   FILE* fp = fopen( "/hi" , "w" );
   fprintf( fp, "%s\n", "hi there" );
   fclose ( fp );
   exit(1);
}

And then:

Code:

$ gcc hi.c
$ mv a.out sayHi
$ sudo chown root sayHi
$ sudo chgrp root sayHi
$ sudo chmod u+s sayHi
$ ls -l sayHi
-rwsr-xr-x 1 root root 8256 Nov 29 06:04 sayHi
$ ./sayHi
$ ls -l /hi
-rw-r--r-- 1 root pi 9 Nov 29 06:06 /hi
$ cat /hi
hi there
$

Alles klar.

------ Post updated at 10:23 PM ------

I wasn't sure what information was relevant. Originally I thought a shell script could be used to experiment but apparently not.
I'm using Bash v4.4 on a Raspberry Pi running Raspbian, a Debian based Linux distribution. And Bash v4.4 on Kali Linux (Stretch), also Debian based.

I'm actually not trying to overwrite a running program. It may have looked like that because originally I tried to write the string "hello" into a file with filename "hello" and the script was also named hello. My apologies for the confusion.